
I have a self-signed .cer certificate that I need to deploy to roughly 1,000 machines, running a variety of Windows versions from Windows XP and Server 2003 up to Windows 7 and Server 2008 R2.

SCCM is our normal deployment method, and I have tried deploying these a few different ways, but I am bumping against the fact that either not all the required tools are available on all OSes, or I'm getting error messages on the automatic deployment that I don't see when running them manually.

The most cross-platform friendly method that I've found is to grab a copy of CertUtil.exe and certadm.dll from a copy of XP SP3 that has the admin tools installed and drop that in the same folder as the .cer file, then use the following command lines in a batch file:

certutil.exe -addstore TrustedPublisher cert.cer

certutil.exe -addstore root cert.cer

This works fine when running the batch file manually, but comes back with a variety of errors when running it automatically.

Is there a better way to do this across Windows platforms?

GAThrawn

2 Answers


As you have that many machines it seems reasonable to assume you're using an AD domain, in which case you can push the certs out using Group Policy Objects. There are numerous articles describing the steps, such as this one from Technet.

John Gardeniers

Following clues from this prior question, import certificate using command line in Win XP Home, and a fair bit of playing around, I now have this consistently deploying across OSes.

I have extracted the following files from the 32-bit Win Server 2003 SP2 Admin Pack (KB340178) and saved them together with the certificate in a folder on the package source in SCCM:

certadm.dll
certcli.dll
certreq.exe
certutil.exe
cert.cer

Now, ditching the batch file and creating two separate programs in SCCM with the following two command lines (both chained together into the one advert), it all seems to be working as an automated rollout across the OSes.

certutil.exe -addstore TrustedPublisher cert.cer

certutil.exe -addstore root cert.cer

GAThrawn
    Just be careful not to run this advertisement on computers which already have the certificates added. certutil.exe will prompt for confirmation before overwriting anything. This will result in the advertisement hanging in the background, and prevent any others from running. – Michael Steele May 13 '11 at 23:23
  • @MichaelSteele CertUtil.exe in Win2k8r2 has a `-f` option to force an `-addStore` – Signal15 Aug 12 '15 at 06:01
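An idempotent variant of the two certutil -addstore commands above, added here as an example and not part of the question or either answer: it looks up the certificate by thumbprint in the LocalMachine Root and TrustedPublisher stores and only adds it when missing, so re-running the advertisement on a machine that already has the certificate neither prompts nor hangs (the problem raised in the comments). It assumes PowerShell 2.0 or later is present on the target (not the case on XP and Server 2003 by default), that the SCCM program runs elevated (e.g. as SYSTEM), and that cert.cer sits beside the script.

```powershell
# Added example (not from the original post): idempotent import of cert.cer
# into the machine-wide Root and TrustedPublisher stores.
# Assumes: PowerShell 2.0+, elevated context, cert.cer next to this script.
param(
    [string]$CertPath = (Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) 'cert.cer')
)

function Import-CertIfMissing {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.Cryptography.X509Certificates.StoreName]$StoreName
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Match on the thumbprint (SHA-1 of the DER encoding), not on the subject name,
        # so a re-issued certificate with the same CN is still treated as new.
        $existing = $store.Certificates.Find('FindByThumbprint', $Cert.Thumbprint, $false)
        if ($existing.Count -gt 0) {
            return "already present in $StoreName"
        }
        $store.Add($Cert)
        return "added to $StoreName"
    } finally {
        $store.Close()
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Sanity check before touching the Root store: a self-signed certificate
# has identical subject and issuer; anything else is the wrong file.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Error "Refusing to import: $CertPath is not self-signed"
    exit 2
}

foreach ($name in 'Root', 'TrustedPublisher') {
    $result = Import-CertIfMissing -Cert $cert -StoreName $name
    Write-Output ('{0}: {1}' -f $cert.Thumbprint, $result)
}

# Exit 0 so SCCM records the program as successful on both first and repeat runs.
exit 0
```

The same thumbprint check can be done afterwards from a command prompt with certutil -verifystore root <thumbprint> to confirm the rollout on a sample of machines.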